As a company, we take resilience of our IT infrastructure very seriously, as should any company, but we do not run a formal backup process to our file system.

Odd you might say, but then we do have three full copies of our file system, each copy located in a geographically separate location and all three copies automatically synchronised overnight. Having two (or more) full copies of a company’s file system held in geographically separate locations is not just good for resilience, it is a cornerstone for business continuity.

But a resilient IT infrastructure goes beyond designing a resilient file system; there is no point having an operational file system at a disaster recovery site if it cannot be accessed and used to support business as usual.

This means you need to ensure that any critical business-as-usual applications can be made available quickly, and that staff, customers and remote applications can access the disaster recovery site(s) when required. That covers, for example, secure remote access mechanisms, the domain controller and the customer web server, and do not forget voice communications.

A resilient IT system also needs to be a secure and available IT system. Secure means, among other things, up-to-date security patches, not just on servers but also on other infrastructure components, including firewalls, Ethernet switches and network storage.

It means well thought-out configurations and rule sets that are documented and maintained; defence in depth, with servers running their own firewalls in addition to any externally facing firewall; and regular IT health checks (not just penetration testing), with the issues they find addressed.

It also means user access rights should conform to the principle of the least privilege necessary to perform their function and only authorised system administrators should have administrator rights.

Availability includes such items as clean power (spike and RFI removal), uninterrupted power and equipment that is operated comfortably within its capability. Last, but not least, it is important to ensure that the IT systems – at all sites – are fully documented, including a resiliency/disaster recovery plan; and that the documentation is maintained and kept up to date.

The bottom line: Design and build in security and resilience from the beginning, not as an afterthought.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

2 comments

The title made me skeptical: with rapid evolution of threats there's no way "to think it through and make safe". But the article actually stresses disaster recovery and real-time response to emerging threats. Good stuff!